Nov. 17, 2020

Modern Infosec Practices for the Digital Workspace

Holly Grace Williams, Managing Director at Secarma Limited, shares infosec strategies for the modern workspace, including tools and practices for making remote or hybrid work more secure.

Adapting security to remote working, why VPNs aren't magic, building a career in infosec and more on this episode of DWW.

Our guest this week is Holly Grace Williams, Managing Director at Secarma Limited. Holly has thirteen years of experience in leading information security teams. Her early career was spent in the military working in roles such as Site Security Officer, although she now works with a wide range of organisations delivering penetration testing, information security consultancy, and strategy guidance. She holds a Master’s degree (MSc) in Information Security from Cardiff University.

Holly's Twitter: @HollyGraceful
Follow us on Twitter: @thedwwpodcast
Email us: podcast@digitalworkspace.works
Visit us: www.digitalworkspace.works

Transcript

Ryan Purvis  0:00  
Hello, and welcome to the digital workspace works podcast. I'm Ryan Purvis, your host supported by producer Heather Bicknell. In this series, you'll hear stories and opinions from experts in their field story from the frontlines, the problems they face and how they solve them. The years they're focused on from technology, people and processes to the approaches they took that will help you to get to the script for the digital workspace inner workings.

So while the money to the digital works podcast, we are very grateful to have you on and give us a good use of your time today.

Holly Grace Williams  0:38  
Thanks for having me.

Ryan Purvis  0:40  
Hey, do you want to give us a bit of background to yourself? And tell us a bit about what you think the digital workspaces?

Unknown Speaker  0:47  
Yes, the background to myself is fairly easy. The way I typically introduce myself is I break into computers and buildings for a living. So a lot of what I do is what some people refer to as information security and what others refer to as ethical hacking. For me, the digital workspace really is all about collaboration. It's about how to work well together, how to work well electronically together. And I think that's probably been pushed to its boundaries recently, with everybody working remotely and those kinds of things. I'm in the office today, but our entire team isn't here. So even so, with me being physically in the office, I'm still working collaboratively with people remotely. And the digital workspace is the thing that enables us to do that.

Ryan Purvis  1:24  
Great. I was actually looking at your background, wondering if it was a really good fake background. He was in office.

Unknown Speaker  1:28  
Now this is just the corner office. Yeah. There's nothing seen backgrounds here. That's why you can hear ping pong.

Ryan Purvis  1:34  
I agree. That's cool. So the background is turning is that I tend to mention training last week, and you did an hour on information security in which you described how to be really good to share with everybody else. Do you want to give us a bit of a rundown on that?

Unknown Speaker  1:51  
Yes, I can. I can tell you how that started. That's a series of mentorship programs for startups. So it's for the startup mentors. What we're talking about is cybersecurity for small businesses, scale-ups, startups and SMEs. And really how that was posed to me originally was like, can you do an hour on cyber security? So, well, yeah. But I mean, how do you curse cyber security down into an hour, right? So part of it is security awareness. So just covering the basics or talking about how bad passwords are and why they suck. And part of it is dispelling common misconceptions. So the misconceptions could be around who are hackers, or what we might refer to as threat actors, to use the industry term for it. And a part of it is around how certain attacks work. So how do hackers crack passwords, what does password cracking mean? And those kinds of things, the idea being that the mentors will hopefully, of course, become more secure in the way that they work, but also they can pass that on to the startups and scale-ups so that as they're concentrating on growing and concentrating on building products, that can help keep security in the back of their minds as they do that.

Ryan Purvis  2:56  
Great. Well, what have you seen now with, with your business, I mean, you your customers now becoming more aware of the security they need to have in place that didn't have before, potentially because of, you know, in a building, which they felt secured, equals?

Unknown Speaker  3:10  
Not necessarily. There's a lot of organizations who maybe don't appreciate what their risk of remote working is. A lot of organizations treat VPNs as though they're magic, and they don't necessarily consider things like their working environment that's different. They don't necessarily consider things like the devices that staff members are on. And for a lot of organizations, because they've made the move to remote work under duress, they haven't exactly had like a strategy or a plan for dealing with that. So for example, certain organizations have suddenly very quickly introduced a Bring Your Own Device policy, there's some organizations who have suddenly moved to remote working, who maybe didn't have a capacity for that previously. I think it's had a big security impact. And not every organization has necessarily performed the proper change management to handle it.

Ryan Purvis  3:57  
Yeah, I can believe that. If I look at how we've approached, I mean, boys designed to work from home. So we've had those trainings, who's been there. And the minute we walk in winter mode, and one of the first things to do is read it, read it all the training. And the training is not sort of the death by PowerPoint, you know, you sit there, we just throw it at you, you're gonna absorb it. It's it's scenario training, in conversation with Muay Thai and not everyone's done that and it is fantastic. The people working at the kitchen table with documents on the kitchen counter or the dining table that are sensitive, with a family walking around. I'm

Unknown Speaker  4:36  
Sorry, it's not always the family, right? Think about people who live in shared houses, that's quite common in main city environments for people to share apartments or be, you know, three or four people in the same house. So it's not necessarily even family members. Could just be, you know, housemates.

Ryan Purvis  4:51  
Yeah, exactly. Exactly. And you gotta you got to really put an additional level of conscientiousness around what you're doing every day. It's sort of an even sort of anecdotally people walk around the gardens talking on the phone and thinking about people this thing and the other gardens what they say.

Unknown Speaker  5:10  
Yeah, I remember seeing one person saying that their their company had complained to them saying that they need to make sure that they're in a private environment before taking sensitive calls. And the guy responds like I live in a studio apartment or drama to

Ryan Purvis  5:27  
be covered in in a session was around passwords and how easy it was to, to get them and break them down if you wanted to go through some of those other shows the slide deck, but but maybe some of the topics you covered in the recording quite interesting.

Unknown Speaker  5:42  
Yeah, I think the big thing with passwords really is that they're fundamentally broken. And there's, in many cases, just a better alternative. So things like multi-factor authentication that can be implemented so that it's not such a security inconvenience. And it can prevent a significant number of attacks, even quite sophisticated attacks. I think people think of multi-factor authentication just in the basic sense of maybe getting a six-digit PIN number sent by text message to your mobile phone, for example. And there's lots of different ways of implementing it, you can have hardware tokens, you can have app-based 2FA with a mobile device, you can type in numbers. And all of these different methods have a different kind of convenience factor to them, but they're an improvement over passwords. The big thing with password cracking or guessing passwords is that a lot of people don't realize how it works. And in particular, how quickly threat actors, or hackers if you prefer, are able to get them. Very often the hacker isn't trying to log into the interface, but what we would do is we would, through a technical attack, be able to capture a cryptographically protected copy of the password. So some people may have heard the term password hash, a cryptographically protected copy of the password. We get these in all kinds of different places. A really good easy example for people to think of is wireless networks. When your device connects to your wireless network, it authenticates over the air. So if my device is within the wireless range of your wireless network, then I can take a copy of that handshake. And then I may be able to take the handshake away and perform a crack or a password guessing attack remotely. And because we're doing that remotely, we're not bumping up against things like account lockouts, because we're doing it remotely, we can get those passwords very, very quickly.
So in the session that we did, last week, I showed some of the speeds that we can achieve Poseidon different kinds of password cracking. Now on the machine that I was using that demonstration for wireless passwords, I was able to attempt 6.5 million password attempts a second, which is a huge number,

Heather Bicknell  7:42  
our password managers sort of something that everyone should be using, in your opinion, Holly, or what's kind of the best way for, I guess, individuals to protect themselves. And then companies too. I know you mentioned MFA, but or two factor, but um, are those sort of the best solutions that we have currently to put some protections in place.

Unknown Speaker  8:03  
This is the problem with a lot of security stuff, you get down into the "it depends" area of security. So multi-factor authentication is great. And that's why I would lead with that. But in some instances, people might find that systems just don't support multi-factor authentication. And if that system doesn't have it implemented, so you can't use it, then you need to look for an alternative. Password managers detect them in isolation are great at dealing with the fact that reusing passwords is a major insecurity, and password managers can be a nice balance between convenience and insecurity. So it allows you to pick one long, random, non-deterministic password that send us to protect your other passwords, that can be implemented in a way that's nice and convenient. So you can use it on a mobile device, for example, then have something like Face ID integration or Touch ID integration to make accessing the password manager next and easy, and it just saves all of your passwords for you. So people worry about, you know, what if the password manager gets hacked? That's a legitimate risk. And it's something that we should consider within our threat modeling and consider within, you know, how we handle risk. But for the average user, typically a weak, easily guessable, or reused password is a significantly bigger insecurity than a password manager will ever have. So it's the balance of impact and prevalence there, but yeah, password managers are awesome and multi-factor authentication is awesome. And you should use both of them wherever you can. But when you look to implement them, you know, don't just look immediately for, you know, what is the most secure option here, try and get a nice balance for usability and security.
The reason I say that, and it might sound unusual coming from a security person to say that, is if the workflow of using that tool is so inconvenient, it's so much duress for you to use that solution using injuries, and multi-factor authentication is awesome, but it has to still enable you to work and to do your job.

Ryan Purvis  9:54  
Yeah. And that's exactly why we use it as it's got a very nice Face it and then to your point around the friction of using these things, I find LastPass a bit painful to use sometimes to share credentials, there is pretty secure. And it is one of those that if someone would could hack into them, and I think they were hit once upon a time, and they actually they actually protect your materials are well, in this it's encrypted on the device.

Unknown Speaker  10:23  
LastPass has had a few security vulnerabilities. But one of the things I like about them in particular is they're very forthcoming with the information about the scenario; vulnerability is just on their website. So they had a breach, I think it was back in 2015. And all of the information's on there, just in terms of like, this is what happened, this is how we responded, this is what the vulnerability was and how we mitigate it. That's a nice thing to see. I mean, like, it's better than an organization sweeping that under the carpet. Mm hmm.

Ryan Purvis  10:48  
Yeah. And that's, and that's almost your trust being built, as opposed to being brought down by them be nice that they do the right things when they get when they get, you know, delta blow, so to speak. And equation for you around sort of no passwords. When I was with one of the banks, we were looking at actually moving completely away from passwords using biometrics and that sort of thing. What are your thoughts on that?

Unknown Speaker  11:12  
That's the passwords have security issues. And if you can effectively replace them with something else, you know, single-factor authentication, where the factor is not a password, but, you know, a device that you have access to, that can maximize the job of the hacker more difficult, you know, if there's no password, I guess, but it's some of the system. But the problem of authentication, the problem of passwords, is much bigger than that. So if an organization is looking at, you know, how do you get rid of passwords or turn off entirely and go to a no-password solution? Some of the things to still consider, things like, okay, if we're authenticating with a device, what happens if a member of staff loses their device? How did they gain access in that case? Are there risks around, you know, the help desk, the IT help desk, being able to grant people access, those kinds of things? So yeah, password, sir, can I would generally recommend anywhere that we can minimize the impact a weak password would have, but authentication is somewhat of a bigger problem.

Ryan Purvis  12:09  
No, definitely. With with people working remotely, and another word, do you think there's a need for the corporation to have a policy that houses have to meet a certain level of security standard?

Unknown Speaker  12:24  
So one of the things would be how do you enforce that? I'm generally against policies that you can't enforce. And I would generally be against any policy that might disadvantage somebody. So if you have a company requirement that, you know, staff must be in an isolated environment when taking calls and those kinds of things, then people who have house shares, who may be somewhat disadvantaged, wouldn't be able to work there. So there's a balance to be had there, just in terms of like the diversity side of things and making sure that people from less privileged backgrounds aren't disadvantaged by that. I think there's other ways of handling that problem than enforcing things through policy. And also generically, anytime a company enforces something through a policy, you know, they should have some way of making sure that that's the case. To give you a good example, where it's really, really common to see companies put things in their password policies, like passwords must not be based on a dictionary word or something like that, and then have no technical enforcement to actually prevent you choosing, you know, password123 or something. So policy and implementation should line up.

Ryan Purvis  13:23  
Yeah, definitely. I mean, you talked about bringing your own device and and being away from home. Yeah, I wonder, at some point to bring your own app where you start providing the custom mobile app or something like that. You can always sandbox, the functionality and the security through that,

Unknown Speaker  13:45  
Yeah, bring your own device is often implemented in that way. So there's a lot of mobile device management solutions, MDM, where that effectively is an app that's installed on the user's device so that their personal profile and work profile are separate. And also the work profile can have whatever policy enforcement the company wants, if you want a certain password length, or if the company wants something like the ability to remotely erase the device, you know, the staff member won't be upset about the fact that the company can remotely delete all of the data because they're only deleting the data from within that containerized environment. So that's a thing that's been around for a while. And it's definitely something that I would recommend organizations look at if they're looking at BYOD, bring your own device, as opposed to the kind of approach of just like, oh, yeah, use your phone for work things. If you want to know, there should be some plan net, to enable the protection of data, but also ensuring that the company can check if something's gone wrong, if data is leaked, and if it has, then having functions like the ability to erase devices.

Ryan Purvis  14:46  
Daily predictions is such a difficult thing to to monitor an actual niche start really owning the entire ecosystem and a lot of VDI infrastructure that typically is the business case as a job Turning the whole environment and the users really just connecting virus and client into the data center. Yeah. Yeah, to secure that data, which works, but it's expensive, very expensive solution. Not everyone can do that.

Unknown Speaker  15:15  
I mean, it's excellent. It's expensive in some regards, but less so in others. So if you have a virtual desktop environment where people can just connect, enter a standardized environment. And whilst that might be expensive to set up, remember, expensive from a licensing point of view, it can be better in other ways. So it can have lower administrative overheads, because all of the machines are standardized, it can be faster to set up, if you have a new member of staff joining the company, it's faster to get them up and running. So I think organizations should consider more than just things like licensing costs and lockout, you know, how does this make us more efficient as a business?

Ryan Purvis  15:55  
expenses, etc, it's it's a hurdle to begin with, can you spend the amount of money you need to spend, I think with what's coming out of Marshall, now, the VVD, I think there's an there's an AWS compete there as well, it does make the barrier a little bit lower, so that other organizations have done to the big, the big bunches can get into get on board.

Unknown Speaker  16:15  
Yeah, there's some solutions in that regard, where you're paying effectively per user as well, which is a bit more flexible for organizations as they scale. Because, of course, anytime you implement something, if you're trying to scale up, you need to make sure that it's good for the company today, but also good for what the company is gonna look like in three months or six months time.

Ryan Purvis  16:35  
What are your thoughts on sort of postcode? You know, what would you think there's a postcode forever? Or would you see a future where and what would their future look like from a security point of view?

Unknown Speaker  16:47  
I've seen a lot of different things from a lot of different organizations, all of which have a security impact. So some organizations are talking about spending some time in the office and some time not so maybe two days a week, those can have security implications in terms of social engineering and physical access to risks. So if there is a less standardized approach to where people are, where people are working, those kinds of things, it can just be harder to maintain a secure profile and making sure that people know what to do in the event of people accessing the office who maybe shouldn't be there who should be accessing the office, those kinds of things. I've also seen some organizations say that they're going to move away from like a headquarters office model where everybody goes to the same building, and instead have satellite offices, that can have a risk in terms of what there's more geographic areas to secure. Everything, everything affects security in a different way. And I think one of the things to do at that point, like, whatever you're planning is do threat modeling. So threat modeling is just taking a look through, you know, how does this impact security? And then how do we mitigate those risks? If you've got a lot of small offices, distributed across the country, one of the risks might be well, what if somebody accesses one of those networks and plug the device into an unintended network port or something like that? We have protections in place, we have things that can mitigate those risks. Now I can access control, for example. But of course, the company needs to take a look at what are those risks, come up with a plan and then implement the solution before kind of doing things under duress? Yeah,

Ryan Purvis  18:13  
that's for sure. And it almost it almost feels like you need to have a checklist that you can provide a generic checklist, and you have a checklist that will be specific to our using shared office space.

Unknown Speaker  18:32  
Yeah, yeah. What What is a satellite office look like as well, I think a lot of companies are considering these things from maybe a cost perspective, you know, saving money on the real estate, and that's fine. But with a satellite office, maybe be a colocation space. That would be cool. But of course, that brings along different security risks as well.

Ryan Purvis  18:56  
Besides being very noisy, from the point of view that you can see through walls, just information everywhere, which hide the words down there. There was just a picture of the wall.

Unknown Speaker  19:20  
Yeah, I mean, there's that stuff, but there's also things like, how is the internet connection provided? You know, if you're in a colocation environment, is it a shared internet connection? And then if it is, how do you make sure that your connection to the internet or your connection to cloud resources is secure? It's, again, a fairly easy thing. Typically, a virtual private network would enable a secure connection, but it takes some thought to make sure those things are in place.

Unknown Speaker  19:44  
Yeah, definitely.

Heather Bicknell  19:46  
I guess I wanted to maybe shift gears just a little bit. And Holly first, some background. Something that we talk a lot about, on this podcast is actually something you had mentioned a little bit earlier which is just kind of like a lot of traders. Like it made in both information security and it between, you know, different factors like security and usability or functionality and sort of balancing this whole, you know, these different forces to make something that will work, you know, best for your employees will still protecting the organization. I don't know if you have any thoughts or opinions on sort of the relationship between it and information security and sort of what the best model is there?

Unknown Speaker  20:31  
Yes, I'll give you a good example of why you might get some tension between IT and security, which would be applying security updates to services. So some IT people might be concerned around things like, if we install an update, will it disrupt the system? Will that system need to reboot, those kinds of things? Whereas the security team might be really concerned around the fact of, if a security update isn't applied, would we be vulnerable? And of course, there's a balance to be had there. What the balance might be in that instance is, well, what is the security of debt? Because last in security awareness training, we might say something really generic and really broad, like you should install all security updates as soon as possible. Not every security update is the same level. We see this, for example, with Microsoft. So when Microsoft releases security updates, they grade them, so you have critical, important, optional updates. So critical updates are typically major security vulnerabilities, possibly in some instances vulnerabilities web as a publicly known exploits that when in reality, and those should go in as soon as possible. Whereas the optional ones, they are of less concern. So organizations, you know, everybody who stumbles into this problem of security versus IT, and they need to come up with a plan for dealing with that. One of the plans for dealing with that, depending on company scale and budgets, could just be having a test environment. If you can roll a security update out to a test environment and see if it causes disruption, then that might give you more confidence to make that change. Or alternatively, there could be some policy around, okay, critical updates go in as soon as possible. And important, optional updates go in on a similar schedule. But it's a thing that an organization should definitely take a look at, because it's a very, very common problem.

Ryan Purvis  22:16  
The thing that we talked about is that security by design step is often missed. So this is at the end is your full solution, you need to come back to apply some policy or some regulation. And you realize that your solution actually hasn't been designed in a way that makes it easy to end up with a very complicated, frustrating experience for someone else users. You know, things like, you know, multi factor doesn't work. So they build their own way of doing four, factor authentication with an email, for example, using magic links, which is different to say using an authenticator app with with the randomized six digits. So that's what I was thinking that way as you speak, is that sort of murky place that you can get stuck in?

Unknown Speaker  23:06  
Yeah, a lot of people think of security as well as just always an inconvenience. But it isn't always the case. I think a good example of that would be password managers, password managers can increase the convenience because they're handling passwords for you. So instead of having the kind of usability accessibility issue of trying to have unique long random passwords for every site, it's effectively password escrow. So it's handling that for you. And I mentioned earlier using password managers on a mobile device, and then, you know, leveraging features like face ID or features like Touch ID so that you're getting the benefit of security without it being an inconvenience. The counterpoint always is, of course, if security isn't well implemented, or isn't implemented at all, and the system that you're trying to use, you can't get that benefit, and you maybe have to find it elsewhere. And then we end up with non standardized approaches and all kinds of problems.

Ryan Purvis  23:55  
And it's funny, in a way you look at how commercial analogy is, for me is f1 Racing versus the average car. So most new technology for a motor vehicle is tested out on safety and speed, you know, in the racing arenas that are forced back into fire manufacturers into the complete sort of day to day costs. And it's and it used to be the same thing in a consumer world for technology is that most things were driven by big organizations with big budgets, pushing the limits to to deliver or meet some regulation. But that's almost been flipped around now, because the average consumer has gained because of you know, the likes of Apple and Samsung, etc, driving their mobile devices. This fader experience where, for example, you mentioned this head of manager at the apple operating system is a password manager built in and it's been there for ages. But I remember working for an organization, we We can refer them for the donors because it just a complicated thing to bring in. Meanwhile, it was probably would take away some complication.

Unknown Speaker  25:10  
Yeah, I think one of the problems there as well is if companies don't enable staff members to do these kinds of things, you know, if you don't enable staff to use password managers, what you'll find in some instances is they are using them. They're just using them in a non standardized approach. So maybe they've got the password manager on their home phone instead of their work device, those kinds of things. And it can be really frustrating. And you do see this sometimes with websites as well, if their website isn't compatible with password managers. It's just pushing people towards insecure practices, or at least non standard practices.

Ryan Purvis  25:42  
Yeah, and also putting things in browsers to a story in your browser positive cash, which which I've never been a fan of. for, for a number of reasons, I'm one of those is you got to trust the company to build a browser to be worried about putting some functionality that looks cool,

Unknown Speaker  26:00  
Just does that as well. But there's also, with any of these solutions that we've talked about today, it's like, what happens when it goes wrong? You know, I've just advocated for having a password manager on your mobile device, what happens if you lose the phone? And again, there's the solutions for all of those problems, right? But it's like, okay, I've stored all of my passwords in my browser, and then, you know, dropped my laptop in a puddle, and it's broken. Now I can't log into anything, or, you know, my mobile phone, the screen's cracked, and I can't see any of the tokens. I can't log into anything. There are solutions, but again, it's a thing to think through as an organization, as opposed to finding yourself where your IT manager's dropped his phone. And that's it. Now everybody's locked out of the company.

Ryan Purvis  26:44  
Whether the POS POS, technology, you know, having a yubikey. For example, if you use a yubikey, which has a physical key to long universe, how do you get another one? What do you do in the time it takes to get the second one from when you lost the first one, to actually be able to work?

Unknown Speaker  27:01  
Yeah, and that problem gets somewhat worse as well, if you have non-technical staff, and you're trying to help those staff members have more secure practices, they just might not know what the best thing is to do there. So there needs to be some awareness training to go alongside that within the company, not generic awareness training around like, hey, passwords are key, should use something else. But this is what you do in these instances. This is what you do if you break your phone, this is what you do if your laptop's inaccessible.

Ryan Purvis  27:30  
Have you seen from a children's point of view, any education that's been worthwhile? Who do you think this needs to be full?

Unknown Speaker  27:42  
I think one of the problems with security that, you know, might be relevant when we talk about children is over-simplifying security. You know, a lot of young people are pretty tech savvy these days, they've grown up with a lot of devices, and the usability thing isn't necessarily a problem. But if we try and over-simplify these things, dumbing it down so that we can talk to them about security, we miss some of the details that can be important. So I very often see in security awareness training a conflation between connecting to a website where the connection is secure, so talking about HTTPS websites, and then connecting to a website where the website can be trusted. So that's in the context of phishing. And just because your connection is secure to the website doesn't mean the website can be trusted, but they often get conflated. So you see people saying things like, oh, when you receive an unexpected email, make sure that the link is an HTTPS link, make sure you have the padlock in your browser, those kinds of things, that they're not relevant within that context, you know, having a secure connection to a hacker's website isn't going to give you the protection that you think it is. So over-simplifying things can sometimes cause problems. And definitely the difference between a secure connection and a trustworthy website is one that I see sometimes conflated.

Ryan Purvis  29:01  
Yeah, I mean, I just wonder if there's not a level of educating at a young age, things like be aware of protecting your data. So you mentioned HTTPS? Yeah. Maybe less technical, but at least be aware to look at those things, or, you know, most kids will grow up today with email and social media accounts, and how do you approach that? How do you behave on those?

Holly Grace Williams  29:26  
Well, you can approach these things in a non-technical way. We've just had a quite long conversation around cybersecurity, passwords and those kinds of things. We haven't got into the details around entropy and all of that kind of cryptographic fundamentals, because you don't necessarily need to, to have somebody who's informed about the risks. So, you know, just because a person might be non-technical or might just be young, you can still explain to them what those risks are without getting kind of knee deep in technical detail. Yeah,

Ryan Purvis  29:55  
yeah, you're right. I mean, it is also the course's approach. Now, I've used this example before, but I watch sort of the kids around us, and how they're on devices all the time, and not really worrying too much about what they're doing on the devices, or what the information is they're sharing. And a lot of that is pushed on the parents to know, to teach, to immerse, but the parents don't know what's good and bad.

Holly Grace Williams  30:24  
Yeah, that is true. And in terms of whose responsibility is it, you know, I think a lot of people might just fall back to "the parents should do it." But if they don't know themselves, then, you know, there needs to be some resources. And there are resources out there. So, you know, within the UK, for example, we have the National Cyber Security Centre, who puts a lot of resources out there. A lot of those are focused around business, but trying to simplify things for people so that they understand the different categories of risk and those kinds of things. So yeah, it doesn't necessarily have to fall onto the parents, there can just be, you know, resources, perhaps put forward by the government and things like that.

Ryan Purvis  31:01  
I mean, if someone wanted to get into cybersecurity, would you point them to start off with education, or whatever, or getting their hands dirty?

Holly Grace Williams  31:13  
It entirely depends on who you are. And I think this is one of the things with cybersecurity, where you'll hear people say things like, oh, you don't need a degree. That doesn't mean that you shouldn't get one, it doesn't mean that that doesn't work for you. I think the best part about cyber is there's a lot of different approaches. And if you want to go to university and get a degree, then you could get an ethical hacking degree, or, like myself, I have a master's in information security, so it's a little bit more generic. That is the path in. Alternatively, you could go for a technical apprenticeship, you could just do hands on, you can do the hobbyist approach. There's a lot of different ways. And I think that the first step for somebody who's kind of interested in security and doesn't know where to start is, you know, realise that security is a huge field and try and get hold of the knowledge, you know, try and work out what parts are interesting. So what I do is the breaking side of security, right, it's the penetration testing, as we call it within the industry. You might like security, but not like the breaking department, you might want to work on the defensive team, so you might want to work on the analysts' team, those kinds of things. So the place to start is just, you know, realise it's a huge industry and take a little look around at what the different jobs are. And then when you find out the job that works for you, then look at how you can get those skills, and the emphasis there is on what works for you. So there's academic approaches, there's hands-on learning, there's things like, for the security side that I do, vulnerable virtual machines. There's a lot of different ways that you can pick this up. And I don't think you should ever be kind of shoehorned into an approach that doesn't work for you.

Ryan Purvis  32:39  
to try and move into now. And so since anything you need to conquer, once you understand the ecosystem, because it is big, as you say. And then he's sort of on one of the courses to do, it's a good course to do in the sense it's an essentials course. But it is about finding a network, finding people that are doing it right now, and sort of getting the day job view of what it is.

Holly Grace Williams  33:04  
Yeah, and it's completely fine to change your mind as well. You might start making moves towards a secure development role or something like that, and then realise the breaking department's more interesting, and mechanistic? Because all of that knowledge, all of the fundamental IT knowledge, all of the security knowledge is going to be useful.

Ryan Purvis  33:20  
Yeah, yeah, I think to this level also, because it's quite a young industry in a lot of ways, the more diverse your background is, the better. There's a lot of technical people in the field, so actually coming from, say, marketing or a business field and coming in from that angle might be more beneficial in some respect.

Holly Grace Williams  33:38  
Yeah, absolutely. Or even within IT. So, for example, we recruit from a sysadmin background so that people have a good networking understanding, we recruit from software development backgrounds, who have a good, you know, building applications knowledge, or we recruit graduates from ethical hacking degrees straight into penetration testing roles. So there's a lot of different ways to sidestep within the industry, within broader IT, but also within cybersecurity. Um, yeah, so

Heather Bicknell  34:03  
I guess in this vein, I'd be curious to know, since we're sort of on the career conversation, Holly, what are your favourite parts of the job? Like, why did you decide to specialise in the breaking side? And then also, like, are there any sort of skills or qualities that you think really set people up for success in that kind of role?

Holly Grace Williams  34:28  
Even within the breaking department, within penetration testing, there's a huge variety of roles. So no matter what kind of person you are, you'd probably find something here that is interesting to you. So to give you two good examples of that: when it comes to things like exploit development, that's really hands-on, needy technical stuff, you're probably going to spend a lot of time staring at a command line. Whereas on the other side of this same job role there's things like social engineering, which is a lot of face to face interactions, a lot of communicating. That could be preparing and sending phishing emails, or might be physical access into buildings, it could be coercing people over the phone. So we've got everything from kind of independent working on highly technical things right up to social engineering. So in terms of qualities, I think the big thing is just don't discount yourself. If you see a certain stereotype within this industry, don't think that if you don't match that there couldn't still be a role for you. And you are absolutely right that there's a big place for people of diverse backgrounds. And the big thing there would just be to take a look at the roles, find the parts of the roles that you like the most, and then no doubt there'll be an organisation out there that works well for you. Yeah, that's

Heather Bicknell  35:34  
great advice. I know we're sort of running up a little bit on time here, so I wanted to shift a little bit to the future conversation, if that works for you all. But actually, what I've been thinking about this, and I was actually scrolling LinkedIn, because there was a post that I wanted to kind of pose to both of you, because it caught my eye the other week. And it was from Citrix. They ran a poll that said, according to their research, by 2035 implanted tech could make employees exceptional at their jobs or doom them to burn out. Would you ask employees to go under the knife? And I'm going to wait to reveal what the yes or no split was on this, but I'd love to hear what both of you think about it. If that's like an eventual, you know, eventuality, that we do implant tech on employees, or if that's just kind of like a no go, like, you know, a sci-fi experiment.

Holly Grace Williams  36:27  
I absolutely don't, under any circumstances, think my employer or my girlfriend should have any control over my body. Mm hmm. So there you go. That's a really direct and really blunt answer. But no,

Ryan Purvis  36:38  
I think we all know I wouldn't trust them. If you just look at the amount of conspiracy theories that are floating around, because as far as I can Nicola scam, etc. I don't think anyone in good conscience will allow the government to do that. But I think, you know, generations from now it'll become normal.

Heather Bicknell  37:00  
Okay, I guess it's a good time for me to reveal what the split was on the poll: it was 88% no, which is high. But what really struck me was the 12% yes, that there'd be over, you know, 10% of the 400 people who answered this poll who could see that happening in the future. So I just thought it was interesting.

Ryan Purvis  37:20  
But I think it comes down to trust. I don't think many, many people trust the governments to pay at the moment, so you'd probably get a very high no. But if things are going well and there's a clear benefit to doing it, then you probably wouldn't see more yes. And so

Holly Grace Williams  37:37  
the counter argument is, which government? So one of the difficulties they have at the moment, of course, is if you travel with tech, an electronic device, through an airport, then you can pass through several jurisdictions on a journey. And, you know, which government? You might infinitely trust your own government, and then you might travel on holiday or for work to another country where the laws or the regulations are slightly different, and that could cause you an issue. Yeah,

Heather Bicknell  38:02  
I mean, I guess personally, I mean, I'm much more keen to do some sort of, you know, some sort of just Face ID or fingerprint scan or whatever to be passwordless. That very much appeals to me, but I am struggling to see any other, like, strong application. I mean, I see some security applications, I guess, for the implanted tech. But I think there are other ways you could do it without, you know, an implant.

Ryan Purvis  38:29  
There's a couple of book series that are really where we're having the, your muscles go with his brain thing, having some brain, the brain to be connected and download data or like other stuff.

Holly Grace Williams  38:43  
There's an interesting link here into the US legal side of things in terms of the Fifth Amendment. So I'm not a lawyer, but it's an interesting thing to look into for those who are interested, in terms of compelled speech and the Fifth Amendment. So it's my understanding that US law enforcement can't force you to disclose a password, but can force you to unlock a mobile device that's protected by biometrics. So if you have an iPhone that's protected with Touch ID, they can compel you to unlock that, but it has nothing to do with the PIN code, the current account. So there's those regulations as well. So when you think of things like implants, how that plays into compelled speech is important.

Heather Bicknell  39:20  
I mean, this is, I just wanted to say that, I mean, this is a big thing even with all the protests and everything that's been happening in the US, and travel and anything else. When Face ID came out from Apple, it was a big conversation around, like, you know, if you're going to a protest or if you're going to, you know, do something, turn off your Face ID and switch to, you know, a different code or something like that, so that your phone can't be cracked. Yeah,

Holly Grace Williams  39:45  
there's this thing that you can actually disable the biometrics on iPhones without unlocking them. So that's, again, a security awareness thing. If you're passing through an airport, as you're passing through some jurisdictions, and you need to turn those things off, or, I guess more directly for some people, maybe if you're being pulled over by the police, you can disable those things without unlocking the devices. And, you know, for some instances, those kinds of things are important.

Ryan Purvis  40:10  
I don't remember properly, but I think at Hong Kong airport, when you walk through, they're doing some sort of facial recognition. This has been going on for years to speed up possible processing, and it's still running, but there was a thing of that for a while.

Holly Grace Williams  40:26  
Yeah, a lot of airports have biometrics for those who have biometric passports. But again, the concern isn't necessarily the technology, it's how it's used, and who controls it, and in what way. You know, the tech itself is a wonderful thing, it increases convenience, and in certain instances it's great. But to be able to have warrantless searches is not great. So, again, it just falls into that problem of security's "well, it depends."

Ryan Purvis  40:54  
Yeah, exactly. You mentioned the facial recognition. I remember there was a case in the US where a lady was trying to get an open phone, and she refused to open it with a password. And then because of facial recognition of Amazon's, they opened the phone.

Holly Grace Williams  41:08  
Yes. Yeah. So that's the Fifth Amendment issue within the US, that's the law that fits under, is my understanding. But yeah, that's how that works, as an interesting detail for those who are concerned by that. And Apple therefore introduced a feature where you can disable the biometrics just from the phone. It depends on the version of the phone, but the power button and the volume button together will disable that. So if you ever are in that situation, then you can protect yourself. And I think this gets into that difficult kind of policy area where some people would say, well, the police should be able to do, you know, law enforcement should be able to do investigations and those kinds of things. Yeah, I agree. That's why warrants exist.

Ryan Purvis  41:46  
I'll figure that out from my phone. I think it's a useful feature. Great. I think we're out of time. So maybe just tell everyone where they can find you on social media.

Holly Grace Williams  41:58  
twitter.com forward slash HollyGraceful.

Ryan Purvis  42:02  
Super, and LinkedIn as well?

Holly Grace Williams  42:04  
Would be the same, HollyGraceful.

Ryan Purvis  42:08  
Fantastic. Well, thanks so much for your time. It's been great chatting.

Holly Grace Williams  42:12  
Thanks for having me.

Ryan Purvis  42:13  
Yeah, appreciate it. So, is there anything from you?

Heather Bicknell  42:17  
No, I just really appreciate the conversation, Holly. It was really interesting, and thanks for diving into it with us.

Holly Grace Williams  42:23  
No problem. Thanks.

Ryan Purvis  42:28  
Thank you for listening to today's episode. Heather Bicknell, producer and editor, thank you for your hard work on this episode. Please subscribe to the series and rate us on iTunes or the Google Play Store. Follow us on Twitter at @thedwwpodcast. The show notes and transcripts will be available on the website, www.digitalworkspace.works. Please also visit our website, www.digitalworkspace.works, and subscribe to our newsletter. And lastly, if you found this episode useful, please share it with your friends or colleagues.

Transcribed by https://otter.ai
